OSSで始めるセキュリティログ収集/oss-securitylog-builderscon2017

D405f3b9dc9fa223f6fa507717f41372?s=47 bungoume
August 05, 2017
Technology
28
9.2k

 OSSで始めるセキュリティログ収集/oss-securitylog-builderscon2017

osqueryの紹介
https://builderscon.io/tokyo/2017/session/ce1bf3ee-33bd-4899-897d-ba3c4364c1c5

D405f3b9dc9fa223f6fa507717f41372?s=128

bungoume

August 05, 2017
Tweet

Want more?

D405f3b9dc9fa223f6fa507717f41372?s=48 bungoume
3
890
D405f3b9dc9fa223f6fa507717f41372?s=48 bungoume
5
2.6k
D405f3b9dc9fa223f6fa507717f41372?s=48 bungoume
1
880
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
7
400
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
1
220
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
140
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
6
270
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
5
200
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
3
290
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
3
520
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
150
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
4
240

Transcript

  1. 1.

    1 OSSͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017

  2. 2.

    2 ࣗݾ঺հ ക࡚ɹ༟ར (Yuri Umezaki) DevOps: ϩά෼ੳɾݕࡧAPIɾΠϯϑϥ؅ཧ Python, Elasticsearch, Docker

  3. 3.

    3 Ξϯέʔτ ɾ։ൃऀ ɾӡ༻ɺΠϯϑϥ؅ཧऀ ɾηΩϡϦςΟΤϯδχΞ ͋ͳͨͷۀ຿ʹ͍ۙͷ͸

  4. 4.

    4 ηΩϡϦςΟڴҖ վ͟Μɾ৘ใྲྀग़ ϥϯαϜ΢ΣΞ etc… ɾ಺෦ෆਖ਼ ɹ(ૢ࡞ϛε) ϑΝΠΞ΢Υʔϧ IDS/IPS/WAF αʔό(ػີσʔλ)

    ੬ ऑ ੑ ͳͲ ɾ֎෦߈ܸ ڴҖ͸֎෦ͱ಺෦ ྆ํʹજΉ
  5. 5.

    ɾ཈ࢭɿࢥ͍ͱͲ·ΒͤΔ 5 ηΩϡϦςΟରࡦͷ෼ྨ ɾ༧๷ɿΞΫηε੍ޚͳͲ ɾݕ஌ɿ໰୊Λݕग़ɺ෮چͷख͕͔ΓΛه࿥ ɾ෮چɿෆਖ਼ͷ͋ͬͨલʹ໭͢ Ұൠʹ4ͭʹ෼ྨ ཈ࢭɾ༧๷ͱ͍ͬͨ๷ޚͷରࡦ͕ଟ͍

  6. 6.

    6 ৵ೖ΁ͷؾ͖ͮํ ɾࣾ಺ͷਓ͕ෆ৹ͳ఺ʹؾ෇͘ ɾ֎෦ͷ਌੾ͳϗϫΠτϋοΧʔ͔Βͷ࿈བྷ ɾϢʔβ͔Βͷ໰͍߹ΘͤͰൃ֮ ɾ߈ܸऀࣗ਎͕ڭ͑ͯ͘ΕΔ ← ໿൒਺͕֎෦͔Βͷࢦఠ*ͱ͍͏࿩΋ * FireEye

    M-Trends 2017: ηΩϡϦςΟ৵֐͓ΑͼαΠόʔ߈ܸͷ೥ؒτϨϯυ https://www.fireeye.jp/current-threats/annual-threat-report/mtrends.html
  7. 7.

    7 ֎෦߈ܸͷݕग़ ɾΞΫηεϩά΍IDS౳Ͱෆ৹ͳ௨৴Λݕग़ ɾϗετܕηΩϡϦςΟ੡඼Ͱݕ஌ ֎ͱαʔόͷதؒ੡඼Ͱ͋Δఔ౓कΒΕ͍ͯΔ ࠷ޙ͸ϗετʢαʔόࣗମʣͰݕग़͢Δ͔͠ͳ͍ αʔόͰ΋࠷௿ݶͷϩά͸ऩू͓͖͍ͯͨ͠

  8. 8.

    8 ಺෦ෆਖ਼ͷݕग़ ɾ୭͕͍ͭαʔόʹϩάΠϯ͍ͯ͠Δ͔ ɾαʔόͰԿΛ͍ͯ͠Δ͔(ૢ࡞ϩά) γεςϜ؅ཧऀͷೝূϩά͕ॏཁ ·ͣ͸αʔόͰͷೝূɾૢ࡞ϩάΛऩू͍ͨ͠

  9. 9.

    9 ૢ࡞ϩάͲ͏औΔʁ ɾbash history ɾscriptίϚϯυ ɾpsacct ɾaudit ؆୯ʹه࿥ఀࢭɾॻ͖׵͑Ͱ͖ͯ͠·͏ Ҿ਺ͳͲ͕֬ೝͰ͖ͳ͍,ίϚϯυ໊௕੍ݶ ؂ࠪϩάͱͯ͠ྑͦ͞͏

  10. 10.

    10 audit log # systemctl start auditd # auditctl -a

    always,exit -F arch=b64 -S execve ls ͚ͩͰෳ਺ߦϩά͕ग़Δ ύʔε͠ʹ͍͘… /var/log/audit/audit.log
  11. 11.

    11 audit logΛ׆༻͍ͨ͠ ɾgo-audit Slack੡ͷauditlogΛ͍͍ײ͡ʹύʔε͢Δπʔϧ ɾElastic Beats Filebeat 5.4(2017/5/4) ΑΓauditlogͷύʔα௥Ճ!

    ɾosquery ↑ࠓճ͸͜Ε ࢲͷ஌͍ͬͯΔൣғͰ͸ҎԼͷύʔα͕ศརͦ͏
  12. 12.

    12 osquery Facebook੡ͷϚγϯঢ়گ֬ೝπʔϧ ɾSQLͰ࣮ߦதͷϓϩηεɺϩάΠϯঢ়گͳͲ͕֬ೝͰ͖Δ osqueryi ɾεέδϡʔϧ࣮ߦͰϩάΛग़͠ɺ؂ࢹʹ΋ར༻Ͱ͖Δ osqueryd ɾLinux͚ͩͰͳ͘ɺwindows, macͰ΋ར༻Մೳ ஫:

    OSʹΑͬͯऔΕͳ͍छྨ͕͋Γ·͢ɻaudit events͸Ubuntu,CentOSͷΈ
  13. 13.

    13 osquery 2017/8/3 ݱࡏ githubͷstar͸9501 Linux Security Tools (Top 100)

    *ͷ10൪໨ʹ঺հ * https://linuxsecurity.expert/security-tools/top-100/
  14. 14.

    14 Linux Security Tools (Top 100) * https://linuxsecurity.expert/security-tools/top-100/

  15. 15.

    15 ࿅श: macͰosquery $ brew install osquery

  16. 16.

    16 ࿅श: macͰosquery chrome֦ுͳͲ·Ͱ෼͔Δ

  17. 17.

    17 LinuxͰosqueryd vim /etc/osquery/osquery.conf osqueryΛఆظ࣮ߦͯ͠ϩάʹग़ͯ͠ΈΔɹ service osqueryd restart

  18. 18.

    18 osquerydͷϩά /var/log/osquery/osqueryd.results.log ʹϩά͕JSONͰॻ͖ग़͞ΕΔ

  19. 19.

    19 audit events ֎෦ͱͷ௨৴ཤྺΛऔΔͳΒsocket_events΋ vim /etc/osquery/osquery.conf

  20. 20.

    20 audit events /etc/osquery/osquery.flags ʹҎԼΛهࡌ socket_eventsΛऔಘ͢Δ৔߹͸ ΋ඞཁ
 ʢ஫:͜ͷΦϓγϣϯΛ͚ͭΔͱCPU࢖༻཰͕૿͑Δʣ

  21. 21.

    21 process_events ϩά lsͷ࣮ߦϩά

  22. 22.

    22 socket_events ϩά

  23. 23.

    23 ϑΝΠϧ੔߹ੑ؂ࢹ ࡞੒/มߋ/࡟আΛϑΝΠϧ΍ύε୯ҐͰ؂ࢹ vim /etc/osquery/osquery.conf

  24. 24.

    24 ϑΝΠϧ੔߹ੑ؂ࢹ ϩά AIDE,OSSEC,Tripwire ͋ͨΓͷ୅ସʹͳΔ͔΋ echo “message” >> /etc/test ޙͷϩά

  25. 25.

    25 osquery ৭ʑऔΕΔ! ೝূɾૢ࡞ϩάΛऔΔ໨తͰܾΊ͚ͨͲ
 ϗετܕIDSͱͯ͠े෼ػೳͦ͠͏ υΩϡϝϯτ΋ॆ࣮ ίϚϯυ׳Εͯͳ͍ਓʹ΋࢖͍΍͍͢ʢ͔΋ʣ εέδϡʔϧ࣮ߦͰ͖Δ ݁Ռ͕JSONͰు͖ग़͞ΕΔͷͰ׆༻ָ͕ʢॏཁʣ

  26. 26.

    26 osquerydͷ࢓૊Έ(ͬ͘͟Γ) ಺෦Ͱ͸RocksDBͱ͍͏key-valueܕσʔλετΞΛར༻ https://code.facebook.com/posts/1411870269134471/how-rocksdb-is-used-in-osquery/ osqueryd͸ఆظΫΤϦΛ࣮ߦ࣌
 લճͷ݁Ռ͕RocksDBʹ֨ೲ͞Ε͍ͯͳ͍͔νΣοΫ͢Δ ɾσʔλ͕ͳ͍৔߹ - ͢΂ͯͷߦΛදࣔ͠ɺ݁ՌΛ֨ೲ ɾҎલͷ݁Ռ͕DBʹ͋Δ৔߹

    - 2ͭͷσʔληοτΛൺֱ͠ɺࠩ෼Λग़ྗ
  27. 27.

    27 osquerydͷ࢓૊Έ(ͬ͘͟Γ) ఆظ֬ೝͷؒʹมߋͯ͠໭ͨ͠Β௨஌͞Εͳ͍ͷͰ͸ʁ ϑΝΠϧ੔߹ੑ؂ࢹʹ͍ͭͯ Event-based monitoringͳͷͰมߋͷ৘ใ͕อ࣋͞ΕΔ (fileͰ͸inotify͓ΑͼFSEventsΛ࢖༻)

  28. 28.

    28 ԿΛ؂ࢹର৅ʹ͢Δ͔(Ұྫ) ɾೝূϩάʢϩάΠϯΠϕϯτʣ ɾૢ࡞ϩά ɾ௨৴ϩά ɾϋʔυ΢ΣΞ઀ଓϩά

  29. 29.

    29 ԿΛ؂ࢹର৅ʹ͢Δ͔(୺຤) ɾChrome, firefoxͷplugin ɾ֦ுػೳʹϚϧ΢ΣΞ͕ೖΔέʔε͕ۙ೥໰୊ʹ ɾhomebrew౳ϥΠϒϥϦͷҰཡ ɹɾ༗໊ॴͱࣅ໊ͨલͷϚϧ΢ΣΞ͕npmͰݟ͔ͭΔ HTTP Headers ͱ͍͏

    5ສਓ͕࢖͍ͬͯΔ Chrome ֦ுͷϚϧ΢ΣΞٙ࿭ http://blog.clock-up.jp/entry/2016/11/03/http-headers-malware npmjs.com Ͱஶ໊ιϑτ΢ΣΞʹΑ͘ࣅ໊ͨલͷϚϧ΢ΣΞ͕େྔʹൃݟ͞Εͨ http://gfx.hatenablog.com/entry/2017/08/02/131537
  30. 30.

    30 Pack osquery_monitoring it_compliance, incident_response osx-attacks, vuln-management osqueryʹ͸ΫΤϦύοΫ΋༻ҙ͞Ε͍ͯΔ hardware-monitoring

  31. 31.

    31 osquery.conf ઃఆྫ ·ͣ͸Pack + ࢖͏ͱ͜Ζ͔Β

  32. 32.

    32 Logrotate΋๨Εͣʹ ݁ߏͳϩάͷྔʹͳΔͷͰɺlogrotate͸ඞཁ /etc/logrotate.d/osqueryd dailyͩͱਏ͍͜ͱ΋͋ΔͷͰhourly͕ྑ͍͔΋

  33. 33.

    33 ϩάΛूΊΔ S3

  34. 34.

    34 FluentdͰύʔε JSONͳͷͰfluentdͰͷύʔε͕؆୯

  35. 35.

    35 Elasticsearch΁ϩάอଘ

  36. 36.

    36 ϢʔβͷίϚϯυཤྺ

  37. 37.

    37 sshdϩάΠϯࢼߦ

  38. 38.

    38 ϩάͷ࢖͍ํɺӡ༻ ElasticsearchʹϩάೖΕ͓͚ͯ͹ɺ Elastalert΍WatcherΛར༻ͯ͠ ҟৗͳૢ࡞΍஫ҙ͕ඞཁͳίϚϯυΛݕࡧ/௨஌Մೳʹ

  39. 39.

    39 νϟοτπʔϧʹ௨஌ ϩάΠϯΠϕϯτΛSlackʹ௨஌͢Δ ௨஌͕͋ͬͨΒ࣮ߦऀ͕֬ೝίϝϯτ͢Δ͜ͱͰ ͩΕ͕ɾ͍ͭɾͲ͏͍͏໨తͰαʔόૢ࡞͍ͯ͠Δ͔
 ৘ใڞ༗ͱ(Ұछͷ)ଟཁૉೝূ͕Ͱ͖Δ

  40. 40.

    40 ஫ҙ఺ͳͲ ɾosqueryͷ։ൃ͸׆ൃ ɹɾҎલ͸Disk IO͕૿͑Δόά͕͋ͬͨ(मਖ਼ࡁ) ɾϝϞϦ͸100MB΄Ͳফඅ ɾsocket؂ࢹΛ༗ޮʹ͢ΔͱCPUΛফඅ(5%ఔ౓?) ɾosqueryd͸εέδϡʔϧํࣜ ɹɾϩάॻ͖ग़͠Ͱ׬શੑ͸গ͠ऑ͍ ɹɾgo-auditͳͲπʔϧΛ૊Έ߹Θͤͯ࢖͍·͠ΐ͏

  41. 41.

    41 OSSͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017

  42. 42.

    42 OSS osqueryͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017

  43. 43.

    43 ·ͱΊ ɾηΩϡϦςΟӡ༻ෛՙ͕গͳ͍ܗͰશମઃܭ͢Δ ɾ༏ઌ౓ͷߴ͍ϩά͔Β׆༻͍ͯ͘͠ ɾϩάͷվ͟Μ΍ϩετΛճආ͢Δػߏ΋ݕ౼͠Α͏ ɾ߈ܸͷ༧๷΍෮چ΁ͷखॱཱ֬΋େ੾

  44. 44.

    44 osquery͸ۜͷ஄ؙͰ͸ͳ͍ ૊Έ߹Θͤͯར༻͠·͠ΐ͏ osqueryೖΕͯOKͰ͸ͳ͘

  45. 45.

    45 osquery ೔ຊͰ΋࢖͍͖ͬͯ·͠ΐ͏